Easy Anti-Cheat: We have investigated recent reports of a potential RCE issue within EAC. At this time - we are confident that there is no RCE vulnerability within EAC being exploited.

"We have investigated ourselves and have found we have done nothing wrong."

That's exactly how i read that. It's so bizzare that they get kernel access to so many computers, and don't even do the thing that they are supposed to do.

It's really disturbing how popular the notion that rootkit-based anti-cheat is a good thing is on the internet at large.

I love it when a thread like this comes up on Lemmy every single comment condemns EAC's whole anti-cheat model.

Y'all are all right.

While I am sceptical of rootkit based anti-cheat as well, I am also not a fan of how quickly everyone has jumped to assuming this is EAC's problem and not a problem with Apex Legends, is there some solid evidence for that that I'm just unaware of?
Kernel level and root kit are two different things. Please don't confuse them.

Says the company that took three years to implement a shopping cart for their shitty store.

If I was a hacker, I would be spending most of my effort attacking anticheats. Installing spyware on people's computer to prevent cheating is wrong. They should be doing what devs did before anticheat was invented - server side moderation.

I dunno about non-driver anti-cheats like EAC but Genshin Impact's kernel-level anti-cheat has been used to aid ransomware. Driver-level anti-cheat is certainly malware, that has been settled since Sony-BMG.
- Sony-BMG.
  Jeez that's a blast from the past. I remember the absolute shock and horror going around the internet when that story broke then it instantly being exploited by some clever dickhead for malware which I'm sure caused someone in Sony to have a cardiac arrest.
Honestly, most people who make cheats were also previously developers for anti-cheat software.
While I agree that anti-cheat software is spyware, server side moderation by humans would be incredibly costly on the company.
My vote is to just not have official servers for games anymore. Package the dedicated server files with every client and let the people playing the game host their own servers. Problem is solved twofold: server-sude moderation is now much more viable, and server hosting costs for the developers is eliminated.
- While I agree that anti-cheat software is spyware, server side moderation by humans would be incredibly costly on the company.
  It would also do a poor job at quickly responding to cheaters. Which is fine in some games, but in more competitive titles, the difference between a cheater getting caught in a round or two and a dozen or so is a big deal, with how many people had games effected.
  My vote is to just not have official servers for games anymore
  Nah, official servers are great for anything competitive, since they provide a single definitive competitive ladder and player base. Nobody gives a fuck about challenger rank 1 on Joe schmoe's home server where it's him and his buddies from school. Not to mention how difficult 8t would be to balance a game with next to no data to use.
gamers aren't usually a prime target, except for cryptominers...
an anticheat based cryptominer worm would be pretty terrible, now that i think about it...
- gamers aren’t usually a prime target, except for cryptominers…
  Don't many gamers often have a lot of money, considering those huge libraries of games as well as those very expensive PCs, I feel like it would make sense to target them, at the very least for the possibility of commandeering and selling their accounts, plus the ones who download this malware by opting to play games with Anti-cheats and bullying their friends who are unwilling or on the fence into using it, it seems like they would be easy targets.
If you were an actual hacker you'd be targeting web sites and Linux servers. Because that allows you to spread your payloads across huge populations easily.

So if it isn't a RCE vulnerability, what vulnerability is it?

Their wording is actually quite deliberate. They say there isn't one being exploited, but they do not explicitly say that there isn't a RCE vulnerability.
It kinda stinks of ass coverage.
"I did not have sexual relations with that woman"
- It stinks of lawyers checking the press release. They can't say "there is none" in the offchance that someone, sometime finds one. Then clients could point to this press release saying "SEE, YOU TOLD US THERE WAS NONE AND 25 YEARS LATER WE FOUND ONE". I bet they are telling the truth, just ran through a lawyer and PR team.
- Yeah, it stood out to me.
  It's always in what they don't say.
  If they say it's not a RCE vulnerability, it could still be a privilege escalation vulnerability etc. They avoided saying their software isn't being exploited or "we have seen no evidence our software has been compromised", or "there is no clear signs...".
  Which gives a little wriggle room.

I don't know much about anti-cheat development, but it can't possibly be that hard to at least implement something that checks whether a player even could have done something in a certain amount of time which would eliminate a lot of speed related cheats, and for the rest, why not look at data averages to try to weed out cheaters?

I know combing through the data is probably complicated, but so is installing kernel level anti cheat software that has to monitor every single process running on a person's computer.

It's cheaper to install malware.
That's all there is to it: cost.
Not how it works, and it is a huge science behind it all. First of all, you don't want false positives. People would ruin your game for it. The reviews would be awful and it would breed more cheaters (angry at a game that banned you for no reason? Make it ban you for a reason, ruining people's fun in the process and costing them money). Second, most of what you are talking about is already done on server side. Third, the concept of banwaves is a thing. You want to catch as many cheaters at once with a single detected cheat. If you ban someone at first sight, the cheatmaker will refund that first person and think up something worse immediately. If you ban 30k people, all of them flock to the cheatmaker asking for refunds. Which he can't obviously provide, since they already spent that money over the course of the time the cheat was active, etc. Fourth, lots of cheats are subtle enough to be "invisible" to any sort of detection. Guy has an overlay that shows people through walls. You can't ban overlays and the client needs to know where people are on the server, it just hides them. All you can see is what a human would see - a guy looking at people through walls, but trying to hide it. A guy with "incredible gamesense" basing their tactics on info he couldn't have gotten. A moderator that knows what to look for would see it. An admin that abuses power and bans everyone that's too highly skilled would also ban the cheater. But try writing anything that checks for the "averages" and you ban actually good players that use sound, etc. Same thing with aimbot - it's very obvious to someone looking at gameplay. But going off of statistics you ban everyone who "has a good day".
The way to do it, was how Valve handled it in CSGO. No idea if the system is still in. They basically tasked their community with being the judge and executioner. They would send you a replay in client, showing you 10 mins of the match. Sometimes they would send you a replay that they already know has a blatant cheater in it, to test if you actually say "ban" if you see one. They scored the judges, valuing better ones more and providing feedback saying "your case has banned a cheater". It was a slow process, but effective, or at least it would be if the game wasn't so incredibly popular and free. Obviously a live moderator would help a lot, but it's the next best thing.